Privacy Policy

ReachMail Media Services, Inc. (RMS) respects the privacy and security of personal data.

I.  DEFINITIONS

A.    The terms “Collect,” “Consumer,” “Processing” (or “process”), “Commercial Purpose,” “Contractor,” and “Sale,” (including variations of such terms) shall have the meanings given to those terms under the CCPA – California Consumer Privacy Act (including California Civil Code § 1798.140).

B.    “Data Controller” means an entity that determines the purposes and means of the Processing of EEA Personal Data.

C.    “Data Processor” means an entity that Processes EEA Personal Data on behalf of a Data Controller.

D.    “EEA” means, for the purposes of this Policy, the European Economic Area, United Kingdom, and Switzerland.

E.    “EEA Data Protection Laws” means all data protection and privacy laws applicable to the Processing of EEA Personal Data under this Policy including, where applicable, the GDPR.

F.    “GDPR” (General Data Protection Regulation) refers to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of EEA Personal Data and on the free movement of such data and any member state law implementing the same.

G.   “Personal Data” means “Personal Information.”

H.    “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, that may be (i) Processed at any time by RMS in anticipation of, in connection with, or incidental to the performance of the Policy, including any information provided by or received on behalf of Advertiser, or (ii) derived by RMS from such information.  Personal Information includes any data elements set forth in the CCPA and/or GDPR as applicable.

I.      Any capitalized term used but not defined herein shall have the meaning ascribed to it in the CCPA. 

 

II.  RESTRICTIONS ON THE USE OF PERSONAL INFORMATION 

A.    This Policy sets forth the terms and conditions applicable in compliance with the Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (as may be amended from time to time) (the “CCPA”), the CAN-SPAM Act of 2003 and the GDPR (“Applicable Laws”).

B.    RMS is a Contractor under the CCPA. RMS shall Process Personal Information strictly as necessary to perform its obligations under the Policy and solely for the business purposes described in the Policy (or as otherwise agreed in writing by the RMS and the Advertiser) – “Permitted Purposes.” Except as provided in the Policy with respect to the Advertiser, RMS shall not: (a) Sell Personal Information; (b) Collect, retain, use, or disclose Personal Information for any purpose other than for the Permitted Purposes; or (c) retain, use, or disclose the Personal Information outside of the direct business relationship between RMS and Advertiser. For clarity, RMS shall not retain, use, or disclose Personal Information for a Commercial Purpose other than the Permitted Purposes.

C.    RMS may continue to Collect, retain, use, disclose, or otherwise access Personal Information to the extent the Policy and the Applicable Laws permit and provided that: (i) such information is aggregated, deidentified, or anonymized so it no longer constitutes Personal Information; and (ii) RMS does not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data.

 

III.  COMPLIANCE and CERTIFICATION

RMS hereby certifies, represents, warrants and covenants that it understands its obligations under the Applicable Laws (including without limitation those set forth in Section II above) and that it shall comply at all times with the Applicable Laws and this Policy, and shall provide Advertiser with all reasonably requested assistance and cooperation to enable Advertiser to comply with and fulfill its obligations under the Applicable Laws. Without limiting the foregoing, RMS shall, upon Advertiser’s request, cooperate in good faith with Advertiser to modify the terms herein and/or enter into additional terms to address any modifications, amendments, or updates to the Applicable Laws and/or other industry guidelines (including, without limitation, those issued by the Interactive Advertising Bureau). If the Permitted Purposes require the Collection of Personal Information on the Advertiser’s behalf, RMS will always provide CCPA-compliant or GDPR-compliant, as the case may be, privacy notices to Consumers.

 

IV.  CONFIDENTIALITY OF PROCESSING

RMS shall ensure that any third party (person or entity) that is authorized to process the Personal Information (including, without limitation, RMS’s staff, agents and subcontractors – collectively, “RMS Personnel”) shall enter into, and be bound by, the policy with the same terms and requirements as are contained herein, including without limitation, a strict duty of confidentiality and data security (at a minimum, in accordance with the corresponding terms in the Policy). RMS shall not provide Personal Information to, or permit the Processing of Personal Information by, any third party who is not so bound and, in each case, without the Advertiser’s advance written approval. RMS shall ensure that all RMS Personnel only process the Personal Information as necessary for the Permitted Purpose and that they will be responsible and liable for any such third RMS and Advertiser’s acts and omissions to the same extent as if they were by RMS.

 

V.  INQUIRIES

A.    In the event that RMS receives an Inquiry (as defined below), other than from law enforcement, relating to any Personal Data RMS received in relation to the Advertiser, RMS shall: (a) notify Advertiser in writing of the Inquiry within two (2) business days (or such other time period as Advertiser may specify in writing from time to time); (b) comply with all instructions from Advertiser regarding the response to such Inquiry; (c) if requested, promptly (and in any case, within seventy-two (72) hours) provide Advertiser with copies of documents relating to the Inquiry; (d) not refer to Advertiser in any correspondence or other response to the Inquiry without Advertiser’s prior written consent; (e) not disclose any confidential information of Advertiser to the applicable individual, third party, or authority without the Advertiser’s prior written consent; and (f) in a timely manner, notify Advertiser of, and permit a representative of Advertiser to attend, any relevant inspections or proceedings. RMS shall take all other measures as requested by Advertiser to respond to or otherwise address the Inquiry adequately and in a timely manner. As used herein, “Inquiry” means any request, correspondence or complaint (including rights of access or deletion, as applicable) received from a Consumer, or other individual or regulatory authority, in connection with the Processing of Personal Information.

B.     Law Enforcement Requests. In the event that RMS receives a subpoena or court order in relation to a criminal investigation or proceeding that seeks to compel production of any personal data RMS received in relation to the Advertiser, RMS may attempt to redirect the inquirer to request that data directly from Advertiser. As part of this effort, RMS may provide the Advertiser’s basic contact information to the inquirer. Otherwise, subject to the foregoing and Section V. D., RMS shall proceed as articulated in Section V. A.

C.      Data Protection Authority Inquiries. RMS shall provide commercially reasonable cooperation to assist Advertiser in its response to any requests from data protection authorities with authority relating to the Processing of EEA Personal Data under the Policy and this Policy. In the event that any such request is made directly to RMS, Section V. B. shall govern RMS’s response thereto.

D.     No Obligation to Violate Law, Subpoena, Order. Nothing herein requires the RMS to violate any law, subpoena or order, or otherwise expose itself to criminal liability.

 

VI.  REQUESTS TO DELETE

Upon Advertiser’s request at any time, RMS shall promptly delete an individual’s Personal Information from RMS’s records. In the event RMS is unable to delete the Personal Information for reasons permitted under the Applicable Laws, RMS shall (i) promptly inform Advertiser of the reason(s) for its inability to comply with the deletion request, (ii) ensure the continued privacy, confidentiality and security of such Personal Information (in accordance with the terms herein, the Policy and all applicable laws, rules and regulations), and (iii) delete, and certify such deletion to the Advertiser, the Personal Information promptly after the reason(s) for RMS’s refusal to delete has(have) expired or otherwise become(s) inapplicable.

RMS shall, to the extent legally permitted, promptly notify Advertiser if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s EEA Personal Data, or a request to restrict Processing. Advertiser shall provide RMS with commercially reasonable cooperation and assistance in relation to the handling of a data subject’s request, to the extent legally permitted and to the extent RMS does not have the ability to address the request independently.

To the extent either party does not have the ability to independently correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, then at one party’s written direction and to the extent required by any Applicable Laws, the other party shall comply with any commercially reasonable request to facilitate such actions.

 

VII.  SECURITY

A.    Security Measures.  Each party shall implement and maintain commercially reasonable technical and organizational security measures appropriate under applicable data protection laws to protect the Personal Information from: (1) accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access; and (2) unauthorized or unlawful Processing (each, a “Security Incident”).  The technical and organizational measures implemented by RMS and the Advertiser must ensure a level of security commensurate with the risks presented by the nature and Processing of such Personal Information and help ensure the ongoing confidentiality, integrity and availability of Personal Data and Processing systems, in accordance with its own standards as well as the measures referred to in Article 32 of the GDPR.  Such measures shall, at a minimum, meet the requirements set forth in the Policy (if applicable) and meet or exceed industry standards and best practices.  RMS shall also ensure that all RMS Personnel receive appropriate training regarding the requirements herein with respect to CCPA and EEA compliance, privacy and data security, and, if requested by Advertiser, shall promptly certify in writing that such training has taken place.

B.     RMS and the Advertiser understand that, under normal circumstances, RMS will not retain the Personal Data conveyed to Advertiser.

C.     Notwithstanding the above, each party agrees that except as provided by the law or this Policy, it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from Advertiser and taking any appropriate steps to securely encrypt or backup any Personal Data transmitted to the Advertiser.

D.   Security Incidents. In addition to any obligations set forth in the Policy and applicable law, upon becoming aware of any actual or reasonably suspected Security Incident, each party shall inform the other party without undue delay, and in any event within twenty-four (24) hours following the discovery of such actual or reasonably suspected Security Incident. The breached party shall make reasonable efforts to identify the cause of the Security Incident and shall undertake the steps it deems necessary and reasonable in order to remediate the cause of such Security Incident. The breached party shall provide information related to the Security Incident to the other party in a timely fashion and as reasonably necessary for it to maintain compliance with applicable law.

E.    Each party shall cooperate with a breached party, including without limitation, by providing it with all information necessary or otherwise requested by the breached party, in order to investigate such Security Incident (including without limitation, the names of all individuals who are affected by the Security Incident and the date, time and cause of such Security Incident). Each party shall, at their own sole expense, take all measures and actions necessary internally and/or within their control to remedy or mitigate the effects of any Security Incident and shall keep the other party informed of all developments in connection with such investigation, remediation, and mitigation. Unless required by law, each party shall not issue any notification or other communications to any individuals impacted by or regulatory bodies applicable to a Security Incident of the other party without the other party’s prior written consent.

F.    Deletion or Return of Data. Upon termination or expiration of the Policy, RMS shall destroy (or, at the Advertiser’s election, return to Advertiser or its designee) all Personal Information (including all copies and backups of the Personal Information, whether in written, electronic or other form or media) in its possession or control (including any Personal Information provided to any RMS Personnel). If RMS is required by applicable law to retain some or all of the Personal Information, RMS shall (and shall ensure that RMS Personnel) protect such Personal Information pursuant to the terms herein (and prevent any further Processing of such information) and shall destroy or return the Personal Information in accordance with this provision as soon as retention of the Personal Information is no longer required.

 

VIII.  ASSESSMENTS and AUDITS

A.    At the Advertiser’s request, not more than once annually (unless required by a competent data protection authority or in the event of a Security Incident), RMS shall permit Advertiser (and/or its representative or designated third party auditor, each, an “Auditor”) to audit RMS’s compliance with this Policy. At the Advertiser’s request, RMS shall give Advertiser and/or its Auditor access to RMS facilities and shall make available all information, database, systems and personnel reasonably necessary in connection with such audit. RMS shall promptly remedy any deficiencies revealed by any such audit. Additionally, Advertiser may, at its sole discretion, terminate the Policy if any such audit determines that RMS is not in compliance with the Applicable Laws, or any other applicable data privacy or security law, rule or regulation.

B.    RMS shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by the Advertiser regarding the Processing of Personal Data, including responses to information security reviews that are necessary to confirm RMS’s compliance with this Policy.

C.    Provided, however, that an on-site audit or inspection may not be performed unless Advertiser reasonably believes that (a) RMS is not complying with this Policy and (b) it is necessary to determine RMS’s compliance with this Policy.

D.    Notwithstanding the foregoing, RMS will not be required to disclose any proprietary or privileged information to Advertiser or an agent or client of Advertiser.

E.     Advertiser shall be responsible for all costs incurred by RMS in complying with this Section unless an audit determines RMS willfully or knowingly failed to comply with this Policy.

 

IX.  OBLIGATIONS

A.     RMS Obligations. RMS shall ensure that RMS is entitled to transfer the relevant Personal Data to Advertiser so that Advertiser may lawfully use, Process, and transfer the Personal Data in accordance with the Policy. The RMS shall not provide to Advertiser any special categories of Personal Data set forth in Article 9(1) of the GDPR or any national laws adopted pursuant to the GDPR, including any genetic or biometric data and data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sexual life, sexual orientation, or any data concerning the commission or alleged commission of any crime or offense. RMS shall ensure that the relevant third RMS and the Advertiser have been informed of, and have given their consent to, such use, Processing, and transfer as required by any applicable Data Protection Law and acknowledges that Advertiser is reliant on RMS for direction as to what extent the Advertiser is entitled to use and Process the Personal Data.

B.     Mutual Obligations. RMS shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage.

 

X.  EEA SPECIFIC TERMS

A.    Roles; Processing of EEA Personal Data by RMS and Advertiser. As between Advertiser and RMS, Advertiser is the Data Controller of EEA Personal Data, and RMS is a Data Processor of EEA Personal Data. RMS agrees that (i) it shall comply with its obligations as a Data Processor under EEA Data Protection Laws in respect of its Processing of EEA Personal Data; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under EEA Data Protection Laws for Advertiser to Process EEA Personal Data and provide the products and services pursuant to the Policy and any exhibit thereto (the “Services”).

B.    Details of Processing of EEA Personal Data. The subject matter and duration of the Processing of the EEA Personal Data are described in this Policy. The nature and purpose of the Processing of EEA Personal Data are providing the Services. The types of EEA Personal Data that may be Processed include contact information, such as email address, phone number, and address, job roles and responsibilities, and information relevant to the purchasing needs of the data subjects’ employers. The Processing of EEA Personal Data pursuant to this Policy will pertain to individuals including employees and contractors of third RMS and the Advertiser and, in particular, that may constitute the Advertiser’s business prospects and contractors. The obligations and rights of RMS and the Advertiser are set forth in the Policy and this Policy.

C.     For purposes of the EEA, the Advertiser may be considered both the Data Controller and Data Importer for whom the Personal Data has been collected.

D.    International Transfers. RMS and the Advertiser agree that this Policy constitutes appropriate safeguards to transfer EEA Personal Data to a third country pursuant to Article 46 of the GDPR. With respect to EEA Personal Data protected by GDPR that RMS Processes under the Policy or any associated exhibit in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data (i) any applicable contractor from whom RMS obtains the Personal Data to convey to the Advertiser is the data exporter, and the Advertiser is the data importer.

 

XI.  INDEMNIFICATION

A.    In addition to (and without limitation of) the indemnification obligations in the Policy, RMS and the Advertiser shall each indemnify, defend, and hold harmless the other party from and against any and all costs, liabilities, demands, claims, damages, expenses, judgments, fines, penalties, and losses, whether at law or in equity, whether pursuant to contract or otherwise (including arising in tort, by statute or other grounds), including without limitation, attorneys’ fees, paralegal fees and legal costs of any kind and nature whatsoever arising out of or relating to
(a) the breach of this Policy including, without limitation, any of the representations, warranties or covenants herein by the indemnifying party or its personnel,
(b) a Security Incident determined to have been caused by the indemnifying party or its personnel; and/or (iii) the negligence or willful misconduct of the indemnifying party or its personnel.

B.    In addition to (and without limitation of) the indemnification obligations in the Policy, RMS shall indemnify, defend, and hold harmless the Advertiser from and against any and all costs, liabilities, demands, claims, damages, expenses, judgments, fines, penalties, and losses, whether at law or in equity, whether pursuant to contract or otherwise (including arising in tort, by statute or other grounds), including without limitation, attorneys’ fees and legal costs) of any kind and nature whatsoever arising out of or relating to RMS’s compliance with Section V.

C.    Notwithstanding any other policy between the RMS and the Advertiser (including the Policy), the RMS and the Advertiser indemnification obligations under this Policy shall not be subject to any disclaimer of damages, cap on liability, or other limitation of liability.

 

XII.  SURVIVAL.

The terms of this Policy shall survive termination or expiration of the Policy.

 

XIII.  GENERAL.

Except as expressly set forth herein, the terms of the Policy shall remain unmodified and in full force and effect. This Policy shall be executed as part of the Policy.